As data security and privacy risks have evolved, so too has the need for insurance to cover those risks. Yet, many corporations have not matched their evolving risks to the coverage needed. For many years, the conventional wisdom was that a “brick and mortar” company had little or no need for data security/privacy coverage.
Eventually companies learned the hard way—through headline-grabbing data breaches (such as The TJX Cos.)—that data security was a risk faced by virtually all large companies, not just those that rely heavily upon Internet-related activity. The statistics are clear: the average expense of a data security breach event is large and growing—rising from $6.8 million in 2009 to $7.2 million in 2010—and, in many instances, can be much more. And that expense doesn’t even take into account the cost of litigation and possible settlements or judgments should a case make it past motions to dismiss.
It is impossible to know in advance what exposure might result from a data breach event and thus exactly what insurance to purchase. The Sony PlayStation data breach, for example, has resulted in substantial litigation, including multiple class-action lawsuits. Thus, depending upon the nature and size of a data breach event, a company can face substantial litigation exposure. However, although the law presently is evolving on the issue, many courts thus far in the privacy and data breach contexts have not allowed common law litigation claims to go forward, given questions regarding whether the plaintiffs have in fact suffered “damages” and, therefore, whether they have “standing” to sue. It may be that a company’s most significant exposure is “response costs” of the kind mentioned above, as opposed to litigation—meaning that it may not be cost-effective to purchase substantial data breach litigation coverage.
Again, depending upon the language of the company’s current traditional coverages, litigation expenses might be covered under, for example, the CGL “property damage” or “personal or advertising injury” coverages. The New York court’s decision in the PlayStation coverage litigation may arguably provide some guidance on how those coverages apply in this context. An argument also can be made that “response costs” should be covered under, for example, CGL, E&O or D&O policies as expenses necessary to mitigate or reduce the chance that the data breach event will lead to litigation—an argument that has yet to be litigated in this context.